About This Guide


This guide includes information on the Novell® NetIdentity agent. The NetIdentity agent provides 
a secure identity wallet on the workstation so that applications that require eDirectory™ 
authentication can access these credentials and bypass asking users for their usernames and 
passwords. 


The following topics are included in this documentation: 
+ Chapter 1, “NetIdentity Agent Overview”
+ Chapter 2, “Configuring Servers and Workstations”
+ Chapter 3, “Troubleshooting NetIdentity Agent”


Documentation Updates 


The latest version of this NetIdentity Administration Guide for NetWare 6.5 is available on the 
NetWare 6.5 documentation Web site (http://www.novell.com/documentation/lg/nw65). 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as UNIX*, should use forward slashes as required by your software. 


NetIdentity Agent Overview 


The NetIdentity agent works with eDirectory™ authentication to provide background 
authentication to Windows* Web-based applications that require eDirectory authentication, such 
as iPrint, Novell® Portal Services, eGuide, Novell Virtual Office, ZENworks®, NetStorage, and 
iManager. NetIdentity provides a secure identity wallet on the workstation so that applications that 
require eDirectory authentication can access these credentials and bypass asking users for their 
usernames and passwords. 


NOTE: NetIdentity browser authentication is supported only by Windows Internet Explorer. It is not supported 
by Apple* or Netscape* Navigator*. 


If the agent software is installed on the workstation and users authenticate to eDirectory through 
Novell Client™ login or through a Web-based application that uses the NetIdentity agent, users 
will not be prompted to log in when opening another application that requires eDirectory 
authentication. 


NOTE: The Novell Client provides authentication credentials to NetIdentity but does not obtain authentication 
credentials from NetIdentity because it is not a Web-based application. 


In order to take advantage of NetIdentity, you must have the NetIdentity agent installed on the 
workstations and the XTier framework installed on the NetWare® 6.5 servers in the tree that are 
associated with the host used in the URL for the Web-based applications. See Chapter 2, 
“Configuring Servers and Workstations,” on page 11. 




Configuring Servers and Workstations 


In order to take advantage of NetIdentity, you must have the NetIdentity agent installed on the 
workstations and the XTier framework installed on the NetWare® 6.5 servers in the tree that are 
associated with the host used in the URL for the Web-based applications. 


Checking Server Configuration 


NetIdentity relies on the XTier framework used in several Novell® products. If you want 
NetIdentity to background authenticate so that users do not need to enter their credentials multiple 
times, XTier needs to be installed on all NetWare 6.5 servers in the tree that is identified by the 
host used in the URL for the Web-based applications. For example, if you have multiple servers in 
the tree that users authenticate to when printing via iPrint, each of these servers must be running 
XTier. 


Or, if users access their files through NetStorage and a Web browser, XTier must be implemented 
on every server that supports the DNS name that users specify to access files. For example, if users 
specify http://www.digitalair.com/oneNet/NetStorage, every server configured to support 
www.digitalair.com (the host) must have XTier. 


Installing the XTier Framework in NetWare 6.5 


XTier is installed as a component when installing the Network Attached Storage Server pattern 
installation or Virtual Office pattern installation. Or, if you select the Customized NetWare Server 
installation, make sure you install the Apache, Tomcat, and NetStorage products along with any 
other services you choose to install. These components can be installed after the initial installation 
of NetWare. 


For more information on NetWare 6.5 server installation options, see “Installing a New NetWare 
6.5 Server” in the NetWare 6.5 Overview and Installation Guide. 


Checking for the XTier Framework in NetWare 6.5 


If you are unsure if an existing NetWare 6.5 server is running XTier and can take advantage of 
NetIdentity, check the server by completing the following steps: 


1 Open Internet Explorer. 


2 In the address box, type 
http://dnsname_of_the_server/oneNet/xtier-login. 


If an authentication dialog box appears, the server is running XTier and can utilize credentials 
passed to it by the NetIdentity wallet. 


If you have NetWare 6.0 servers in your network, some services take advantage of the XTier 
framework and others do not. In NetWare 6.0, the services that take advantage of XTier are 
ZENworks® for Servers 4, Novell® Application Launcher, and NetStorage. These services can 
utilize credentials passed to them by the NetIdentity wallet. 
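
The manual check above covers one server at a time, while the guide requires XTier on every server behind the host name. As an added example (not Novell's code), this Python script repeats the check against each address the name resolves to; `classify`, `probe`, `audit` and `gaps` are hypothetical names, and reading a 401 challenge as the authentication dialog and a 404 as XTier being absent are assumptions.

```python
import http.client
import socket
import sys

XTIER_PATH = "/oneNet/xtier-login"  # path typed in the guide's manual check


def classify(status, header_names):
    """Verdict for one HTTP response.

    Assumptions (not stated in the guide): the authentication dialog box is
    the browser reacting to a 401 challenge, and a 404 means no XTier.
    """
    names = {n.lower() for n in header_names}
    if status == 401 and "www-authenticate" in names:
        return "xtier"
    if status == 404:
        return "no-xtier"
    return "inconclusive"


def probe(host, address, port=80, timeout=5.0):
    """Request XTIER_PATH from one address, sending the shared host name."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.putrequest("GET", XTIER_PATH, skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        return classify(resp.status, [k for k, _ in resp.getheaders()])
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def audit(host, probe_fn=probe):
    """Probe every IPv4 address that the DNS name resolves to."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {addr: probe_fn(host, addr) for addr in sorted({i[4][0] for i in infos})}


def gaps(results):
    """Addresses not confirmed to run XTier."""
    return sorted(a for a, verdict in results.items() if verdict != "xtier")


if __name__ == "__main__" and len(sys.argv) == 2:
    for address, verdict in audit(sys.argv[1]).items():
        print(address, verdict)
```

Run it with the host name users type in the URL (the guide's example is www.digitalair.com); any address returned by `gaps` is a server where users will still be prompted for credentials.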


Using Certificates for SSL 


In order to secure the authentication credentials, NetIdentity takes advantage of SSL certificates 
located on the workstation or the server. Without a valid certificate, NetIdentity cannot process 
requests for authentication and users will be prompted to enter their usernames and passwords each 
time they start a new Web-based application. 


IMPORTANT: If an SSL certificate is not available, users who have logged in to the network are not 
automatically authenticated to Web-based applications that take advantage of the NetIdentity wallet and no 
message appears telling them that NetIdentity is not passing their credentials. They will be prompted to enter 
their username and password by each Web-based application. 


To use Novell certificates with a Web browser to do SSL, follow the procedure listed at 
“Configuring Microsoft Internet Explorer (IE) for SSL with Novell Certificates” in the Novell 
Certificate Server 2.5.2 Administration Guide. This procedure requires that a certificate signed by 
the Organizational Certificate Authority be installed into each Internet Explorer’s certificate store. 
Besides the listed procedure, there are other ways to populate the browser's certificate store, such 
as prepopulating the certificate store before distributing the browser or using ZENworks. 


Another option that would save you the effort of installing a certificate on each browser would be 
to create a Server Certificate (KMO) that contains the trusted root certificate signed by a popular 
third-party Certificate Authority and configure your Web-based applications to use that Server 
Certificate for SSL transactions. 


To create a Server Certificate (KMO) that contains the trusted root certificate signed by a popular 
third-party Certificate Authority: 


1 In Novell iManager, create a Server Certificate object (KMO) using the Custom option and 
select Third-party Certificate Authority as the signing authority. 

See “Creating Server Certificate Objects” in the Novell Certificate Server 2.5.2 
Administration Guide. 

2 Send the Certificate Signing Request (CSR) to your third-party Certificate Authority. 

They will return some certificates to you. 

3 Import the trusted root certificate into the newly created Server Certificate object (KMO). 

Follow the procedure listed in “Server Certificate Object Tasks” in the Novell Certificate 
Server 2.5.2 Administration Guide. 

4 Configure your Web-based applications to use the new Server Certificate object (KMO) for 
SSL transactions. 


The NetIdentity agent can be installed with Novell Client™ for Windows 95/98 version 3.4 and 
Novell Client for Windows NT*/2000/XP version 4.9 by creating a customized unattend file using 
Novell Client Install Manager (nciman.exe). This file and the Novell Client can then be deployed 
using one of several network installation methods. Or, you can deploy Novell Client to individual 
workstations using an unattend file. For more information on using an unattend file, see "Installing 
Clients from the Network" (http://www.novell.com/documentation/lg/noclienu/index.html?page=/documentation/lg/noclienu/noclienu/data/h2tp1v4b.html) in the Novell Client 
for Windows Installation and Administration Guide. 


If you do not plan to install Novell Client software but you still want to install the NetIdentity 
agent, you can install the software separately from the Novell Clients Software CD. 


1 Insert the Novell Clients Software CD. 
2 Locate the NetIdentity agent on the list of software that can be installed. 
3 Follow the on-screen installation instructions. 


Uninstalling the NetIdentity Agent 


You can uninstall the NetIdentity Agent through Add/Remove Programs. If you uninstall Novell 
Client, NetIdentity is not uninstalled at the same time. 


Logging Out 


The NetIdentity agent retains credentials for a period of 24 hours or until the workstation is shut 
down. If NetIdentity received credentials from Novell Client, the credentials are removed from the 
NetIdentity wallet when the user detaches from the primary network connection by right-clicking 
the N menu in the system tray and then clicking NetWare Connections. Or, you can log out of the 
workstation. 


Troubleshooting NetIdentity Agent 


This section contains information on common troubleshooting issues. In addition to this 
information, additional information is located in Technical Information Documents (TIDs) 
available in the Knowledgebase on the Novell® Support Web site (http://support.novell.com). 


NetIdentity Agent Does Not Automatically Authenticate User 


If users who have logged in to the network are not automatically authenticated to Web-based 
applications that take advantage of the NetIdentity wallet, they do not have access to a valid SSL 
certificate. This certificate can reside on the server or the workstation. See “Using Certificates for 
SSL” on page 12. 